registry  /  @alienplatform/cli  /  1.10.7

@alienplatform/cli@1.10.7

Alien Developer Platform CLI

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface in this package source. It is a CLI shim that locates and runs an Alien platform-specific binary only when the user invokes the alien command.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the alien CLI command
Impact
Executes the intended Alien CLI binary with inherited stdio, arguments, and environment; no source evidence of exfiltration or unauthorized install-time behavior.
Mechanism
Platform-specific binary launcher
Rationale
Static inspection shows a standard npm CLI wrapper with no lifecycle hooks and no network, credential, persistence, or destructive behavior in the package source. The child_process and process.env usage are package-aligned for launching the intended platform binary on explicit CLI invocation.
Evidence
package.jsonbin/alien.jsvendor/<target>/alienvendor/<target>/alien.exe

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/alien.js uses child_process.spawn to execute a platform binary from optional dependency vendor path
  • bin/alien.js forwards process.env and CLI args to that binary at runtime
Evidence against
  • package.json has no lifecycle scripts, so no install-time execution in this wrapper package
  • package.json files only include bin; extracted package contains only package.json and bin/alien.js
  • bin/alien.js resolves only @alienplatform/cli-${platformKey} optional dependencies or local vendor paths
  • No credential harvesting, filesystem writes, persistence, destructive actions, eval/vm, or network endpoints found
  • The npm install text is only an error message advising reinstall, not a package-manager invocation
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.19 KB of source

Source & flagged code

2 flagged · loading source
bin/alien.jsView file
2L3: import { spawn } from "node:child_process" L4: import { existsSync } from "node:fs"
High
Child Process

Package source references child process execution.

bin/alien.jsView on unpkg · L2
52console.error( L53: `Could not find alien binary for ${platformKey}.\nTry reinstalling: npm install -g @alienplatform/cli`, L54: ) ... L58: // Spawn the binary, forwarding all arguments and stdio L59: const child = spawn(binPath, process.argv.slice(2), { L60: stdio: "inherit",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/alien.jsView on unpkg · L52

Findings

3 High1 Medium1 Low
HighChild Processbin/alien.js
HighShell
HighRuntime Package Installbin/alien.js
MediumEnvironment Vars
LowFilesystem